Chinese ISPs will have one hour to report incidents and 24 hours to provide analysis under new rules.
The Cyberspace Administration of China has released a proposed set of new rules governing how internet service providers and other network operators must report major cyber security incidents.
Under the proposal, operators will be required to make an initial report within one hour of detecting an incident.
“When a network security incident occurs, operators shall promptly activate emergency plans for handling,” the proposal said, according to Google Translate. “According to the ‘Guidelines for Classification of Cybersecurity Incidents’, any cyber security incident that is relatively large, major, or particularly major must be reported within one hour.”
The proposal also specifies which “protection departments and public security organs” incidents should be reported to in the case of government networks. The one-hour limit also applies when those departments escalate a report to the authority above them.
“Other network and system operators should report to the local cyber security and information department,” the proposal said. “If it is a major or particularly major cyber security incident, the local cyber security and information department shall report to the higher-level cyber security and information department within one hour after receiving the report.”
A cyber security incident information reporting form will need to be filled out, which covers the name of the entity affected, initial analysis of the incident, any further investigations being carried out, and the possible “impacts and harms” that may follow.
If the cause of the incident cannot be identified within the initial hour, operators have a further 24 hours to investigate and provide their analysis, and a “comprehensive analysis” of the incident, complete with response measures and lessons learnt, is required within five working days.
The proposed rules also cover what happens if an operator fails to report an incident. Individuals and “social organisations” are encouraged to report incidents themselves, and an operator that fails in its reporting duty could face harsh penalties.
“If relevant departments fail to report cyber security incidents in accordance with the provisions of these measures, their superior authorities will order corrections, and the directly responsible person in charge and other directly responsible personnel will be punished in accordance with the law,” according to the proposed new rules. “Those suspected of committing crimes will be held criminally responsible in accordance with the law.”
The new rules apply to both private operators and government-owned networks and are open for public comment until 7 January.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.